MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e3fa565e40a7a37ea493ae1894e2a0e3a35977fcad366b187add22d3f336a74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 10



SHA256 hash: 9e3fa565e40a7a37ea493ae1894e2a0e3a35977fcad366b187add22d3f336a74
SHA3-384 hash: 95083b2854de9d6163472220c70f3f6607c73432d4f3c8d81ffbc87c8ee4873bf4adef62e0dd9ff28f638afdafc72bb7
SHA1 hash: 0c8ca6a0561211855ee0221679c9a8229d3ffc34
MD5 hash: 1574ff6b71f6e5afec8a3e1a9177a960
humanhash: seven-nine-cold-sink
File name: instZIP.647838x64.exe
Signature ValleyRAT
File size: 81'544'280 bytes
First seen: 2026-05-15 15:55:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 5b73a9ca3e4848b0eed5bd1463e47750 (3 x ValleyRAT)
ssdeep 196608:RCSdnRPsSGRcQw3mZM1xazzLJHc6STvrmCSdaF92kOXHpl6OqfzRUyYGfgkSsFfv:rRP+RcQwW61A6jDrVrRnosaEwu
TLSH T14208194EFB01CED3F546923458978BA02772ECB54BA1830332657B2C6FBF2485EE6594
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.0% (.EXE) Win64 Executable (generic) (6522/11/2)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter Ling
Tags: exe SilverFox Trojan/SilverFox.bm[lddel] ValleyRAT


CNGaoLing
Trojan/SilverFox.bm[lddel]
IOC (Domain h5uw8h.oss-cn-beijing.aliyuncs.com)

Intelligence


File Origin
# of uploads :
1
# of downloads :
146
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
No threats detected
Analysis date:
2026-05-15 15:58:25 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
95.7%
Tags:
shellcode virus blic
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm expired-cert explorer fingerprint installer-heuristic invalid-signature keylogger lolbin microsoft_visual_cc signed
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-05-15T11:13:00Z UTC
Last seen:
2026-05-16T02:04:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.EtwTamper.alu Trojan.Win32.Agent.sba Trojan.Agent.HTTP.C&C HackTool.Multi.AmsiETWPatch.sb
Verdict:
Malicious
Threat:
HackTool.Win32.AmsiETWPatch
Threat name:
Win64.Trojan.Malgent
Status:
Malicious
First seen:
2026-05-15 15:58:08 UTC
File Type:
PE+ (Exe)
Extracted files:
56
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe 9e3fa565e40a7a37ea493ae1894e2a0e3a35977fcad366b187add22d3f336a74

(this sample)

  
Delivery method
Distributed via web download
